FCA Authorisation

Crypto registration under the MLRs

How crypto FCA registration works under the Money Laundering Regulations, why it is not full authorisation, the application steps and low approval rate.

7 min read Published 17 Jul 2026
Crypto registration under the MLRs

If you plan to run a cryptoasset exchange or a custodian wallet service in the United Kingdom, you cannot simply start trading. The Financial Conduct Authority (FCA) supervises cryptoasset firms for anti-money laundering (AML) purposes, and any business carrying on in-scope cryptoasset activity must be registered with the FCA before it begins. This obligation flows from the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, commonly shortened to the MLRs.

Crypto FCA registration is frequently confused with full authorisation under the Financial Services and Markets Act. They are not the same thing. Registration under the MLRs is a narrower gateway focused on financial crime controls, and being registered is a legal precondition for operating rather than an endorsement of a firm's business model. Understanding that distinction is the starting point for any firm preparing an application.

This guide explains who needs to register, what the MLRs require, how the application process works step by step, and why the FCA has approved only a small minority of applicants since the regime began. It is general educational information about the framework, not legal or compliance advice for any particular firm.

What registration under the MLRs actually means

The MLRs place cryptoasset businesses within the UK's anti-money laundering and counter-terrorist financing framework. Under Regulation 56, a person must not act as a cryptoasset exchange provider or a custodian wallet provider unless they are included in the FCA's register of cryptoasset businesses. In plain terms, registration is a legal requirement to carry on business, not an optional badge.

The FCA is explicit that registration is not a recommendation or endorsement of a firm. It confirms that a business has satisfied the regulator on its money laundering and terrorist financing controls at the point of assessment. It does not signal that the firm's products are safe, that consumers are protected in the way they would be for authorised investment activity, or that the FCA has assessed the firm's wider conduct.

The regime exists to reduce the risk of cryptoasset services being used to launder money or finance terrorism, and the FCA's assessment focuses tightly on that objective, not on consumer protection.

Firms already authorised by the FCA for other activities, such as e-money or payment services, are not exempt. If they also carry on in-scope cryptoasset activity, they must register for that activity too.

Who needs a crypto FCA registration

Two categories of activity sit within scope under Regulation 14A of the MLRs. The first is the cryptoasset exchange provider, which covers exchanging cryptoassets for money or money for cryptoassets, exchanging one cryptoasset for another, and arranging those exchanges. This category also captures automated cryptoasset machines (crypto ATMs), peer-to-peer providers and issuers of new cryptoassets, such as initial coin offerings.

The second category is the custodian wallet provider. This covers firms that provide services to safeguard, or to safeguard and administer, cryptoassets on customers' behalf, or that safeguard the private cryptographic keys used to hold or move those cryptoassets.

To fall within the regime a firm must be carrying on the activity by way of business and in the course of business in the United Kingdom. The FCA assesses activity scope, the business-nature element and UK operational presence together.

A firm with no UK office or agents that simply allows UK customers to open accounts is not automatically treated as carrying on business in the UK. The assessment is fact-specific, so any firm with a UK nexus should consider its position carefully.

Why registration is not full FCA authorisation

A recurring source of confusion is the difference between MLR registration and authorisation under the Financial Services and Markets Act (FSMA). MLR registration is a targeted assessment of a firm's financial crime systems and controls. Full FSMA authorisation, by contrast, is a much broader assessment of a firm's business, its senior managers, its capital, its conduct and its ability to meet threshold conditions on an ongoing basis.

The UK is moving towards a dedicated FSMA regime for cryptoasset activity. The FCA has indicated that the FSMA authorisation gateway is expected to open on 30 September 2026, with the new regime expected to start on 25 October 2027. Firms carrying out regulated cryptoasset activities will need FSMA authorisation, and this will also apply to firms that are already registered under the MLRs.

Crucially, the FCA states that being registered under the MLRs does not guarantee authorisation under FSMA. The two processes are separate, even though firms will be able to apply for both once the new gateway opens. Existing registered firms should not assume their MLR status will carry them automatically into the FSMA regime.

In the meantime, MLR registration continues to operate, and firms that want to provide in-scope cryptoasset services in the UK before the new regime starts must still register before they begin trading. Preparing early for both regimes is sensible, and specialist support such as Nasara Authorise can help a firm understand how the two frameworks fit together.

The crypto FCA registration process step by step

The FCA runs the application through its Connect system. The process rewards firms that treat it as a serious systems-and-controls exercise rather than a form-filling task. Below is the broad shape of the journey, from preparation to decision.

A poorly prepared application is far more likely to be rejected on completeness grounds before the substantive assessment even begins. The FCA repeatedly stresses that omissions and draft documents are common reasons applications fail at the first hurdle.

The steps below summarise the FCA's published guidance on how to apply. Firms should always work from the current FCA pages and forms, as expectations are updated over time.

1
Study the framework
Read the MLRs and FCA guidance, then access the cryptoasset registration forms in Connect using your My FCA sign-in.
2
Request a pre-application meeting
Optionally submit your business model, AML framework and senior manager details through Connect for informal FCA feedback before applying.
3
Appoint your MLRO
Appoint a Money Laundering Reporting Officer with relevant cryptoasset experience, authority and independence, as they will be assessed for fitness and propriety.
4
Finalise your policies
Prepare board-approved, non-draft versions of all policies and documentation, as incomplete materials are a common reason for rejection.
5
Disclose fully
Answer every question completely and disclose all relevant information, as non-disclosure is treated seriously and false information may be a criminal offence.
6
Sign and pay
Obtain the correct signatures for your firm type and pay the Category 6 application fee before submission.
7
Submit through Connect
Submit the application via Connect; the FCA then assigns a case officer who may request further information.
8
Respond promptly
Reply quickly to any information requests and avoid implying FCA endorsement while the assessment is ongoing.
9
Await the decision
Once the FCA has all information needed, it has three months to decide, with a senior decision-maker making the final call.
10
Act on the outcome
If approved, receive your Firm Reference Number and register entry; if refused or rejected, follow the FCA's stated route for representations or reapplication.

How likely are you to be approved

The headline statistic is sobering. In its update to 1 September 2024, the FCA reported that since January 2020 only 14% of applications had resulted in registration under the MLRs. In other words, the large majority of firms that applied did not secure registration.

The outcomes that do not result in registration break down into rejections, refusals and withdrawals. A rejection typically reflects an application that lacked the minimum required information. A refusal follows a substantive assessment and comes with a Warning Notice and a right to make representations. A withdrawal is where the applicant itself pulls out, often because the FCA has raised concerns it cannot resolve.

Commentators have observed that, across the earlier years of the regime, well over 85% of applications were rejected, refused or withdrawn. This reflects both the technical demands of the AML framework and the fact that many early applicants were not ready for the FCA's scrutiny of financial crime controls.

The chart below shows the FCA's published split since January 2020: the 14% that resulted in registration and the remaining 86% that did not.

The practical lesson is that quality of preparation matters enormously. Firms with strong, tested AML systems, a genuinely capable MLRO and complete, board-approved documentation are far better placed than those treating registration as a formality.

FCA cryptoasset MLR application outcomes since January 2020 (to 1 September 2024)

Resulted in registration14%
Rejected, refused or withdrawn86%

What the FCA expects to see in a strong application

The FCA has been clear that the difference between success and failure usually lies in the quality and completeness of the application. Applications that answer every question fully, use final rather than draft documents and reflect the firm's real operating model tend to progress; those with gaps or generic policies tend not to.

A capable MLRO is central. The FCA expects this individual to have appropriate knowledge of UK regulation, relevant cryptoasset experience, and the authority and independence to monitor and manage compliance. A nominal appointment without real substance is a common failing.

Firms should also expect ongoing obligations once registered. Registered cryptoasset businesses must submit an annual financial crime reporting return, known as REP-CRIM, through the FCA's RegData system within 60 business days of their accounting reference date, and they must pay an annual periodic fee to remain registered.

Because the assessment is demanding and the approval rate is low, many firms invest in specialist preparation before they apply, so that their systems, controls and documentation are ready for FCA scrutiny rather than being built during the assessment.

Conclusion

Crypto FCA registration under the MLRs is a mandatory financial crime gateway, not a full licence and not an endorsement. Any firm providing cryptoasset exchange or custodian wallet services by way of business in the UK must be on the FCA's register before it starts trading, and the regulator's focus is squarely on the quality of the firm's anti-money laundering systems and controls.

With only 14% of applicants registered since January 2020 and the majority rejected, refused or withdrawn, the message is consistent. Preparation is everything, and firms should also watch the incoming FSMA regime, since MLR registration will not automatically translate into future authorisation. This guide is educational information about the framework and does not constitute legal or compliance advice.

Frequently asked questions

Is crypto FCA registration the same as being authorised by the FCA?

No. Registration under the MLRs is a narrower assessment focused on anti-money laundering and counter-terrorist financing controls. It is a legal requirement to carry on in-scope cryptoasset business, but it is not full authorisation under the Financial Services and Markets Act and it is not an endorsement of the firm's products. The FCA has confirmed that being registered under the MLRs does not guarantee authorisation under the forthcoming FSMA regime.

Which cryptoasset businesses have to register?

Cryptoasset exchange providers and custodian wallet providers that carry on that activity by way of business in the UK must register. Exchange activity includes exchanging cryptoassets for money or one cryptoasset for another, and covers crypto ATMs, peer-to-peer providers and issuers of new cryptoassets. Custodian wallet providers safeguard cryptoassets or the private keys on customers' behalf. Firms already authorised for other activities must still register if they also carry on in-scope crypto activity.

How long does the FCA take to decide a cryptoasset registration application?

Once the FCA has all the information it needs to make a determination, it has three months to reach a decision. In practice the overall timeline can be considerably longer, because the FCA frequently comes back with requests for further information, and the clock on the three-month period effectively runs from the point at which the application is genuinely complete.

What proportion of applicants actually get registered?

According to the FCA's update to 1 September 2024, only 14% of applications had resulted in registration under the MLRs since January 2020. The remaining applications were rejected, refused or withdrawn. Commentators have noted that well over 85% of applications across the earlier years did not lead to registration, which reflects the demanding nature of the FCA's financial crime assessment.

What happens if my application is refused rather than rejected?

A rejection usually means the application lacked the minimum required information, and a firm can resubmit once it has the complete information. A refusal follows a substantive assessment and comes with a Warning Notice setting out the FCA's reasons. The firm can make representations to the FCA's decision-maker, and if the refusal stands it receives a Decision Notice and can refer the matter to the Upper Tribunal.

What ongoing obligations apply once a firm is registered?

Registered cryptoasset businesses must maintain their anti-money laundering systems and controls and comply with the MLRs on an ongoing basis. They must submit an annual financial crime reporting return, REP-CRIM, through the FCA's RegData system within 60 business days of their accounting reference date, and they must pay an annual periodic fee to remain registered.

Ready to move money with confidence?

Nasara Authorise helps UK firms send and control payments with lower fees, better rates and full visibility.

Talk to an expert
Keep reading

More insights you will like.

Stay ahead of the curve

Practical guides and updates for UK firms, straight to your inbox.

Secure by designBank-grade security and encryption
Built for UK firmsMade for FCA-regulated businesses
Data protectedYour data stays private and controlled
Global reachCross-border payments worldwide